Talos Vulnerability Report

TALOS-2016-0184

AB Rockwell Automation MicroLogix 1400 Code Execution Vulnerability

August 11, 2016

CVE Number

CVE-2016-5645

Description

An exploitable Use of Hard-coded Credentials (Undocumented Community String) vulnerability exists in the SNMP functionality of Allen-Bradley Rockwell Automation MicroLogix 1400 Programmable Logic Controller (PLC) Systems. At the most basic level, knowledge of the undocumented community string allows an attacker to read all values accessible via SNMP. In addition to read permissions, the 'wheel' community has the same write privileges as the 'private' community and can modify all writable SNMP OIDs. An attacker can leverage this vulnerability to remotely modify the device firmware, allowing the attacker to run their own malicious code on the device.

In addition to the default, documented SNMP community strings of 'public' (read) and 'private' (read/write), an undocumented community string of 'wheel' (read/write) exists which enables attackers to make unauthorized changes to the devices, such as modification of settings and even conducting malicious firmware updates. It is possible that this community string also grants access to other OIDs, but this has not been tested at this time.

Exploit Proof-of-Concept (optional)

At the most basic level, knowledge of the undocumented community string allows an attacker to read all values accessible via SNMP. The below shows walking Allen-Bradley's MIB using the public, private, and wheel community strings. Note that the 'public' string is denied access but the 'private' and 'wheel' community strings both return the same results, indicating that 'wheel' provided privileged access.

In addition to read permissions, the 'wheel' community has the same write privileges as the 'private' community. The below demonstrates reading and writing to the SysContact OID. Both the 'private' and 'wheel' community strings are authorized to write to this field.

To demonstrate the risk associated with this undocumented privileged access, the below walks through the process of using the 'wheel' community string to upload a malicious firmware file. The entirety of the attack is conducted using the free and open source applications from the Net-SNMP project (http://net-snmp.sourceforge.net/wiki/index.php/TUT:snmpwalk).

Execute firmware updates

Setting OID 1.3.6.1.4.1.95.2.3.1.1.1.1.0 to a value of '2' triggers the firmware update process. The PLC attempts to initiate a TFTP file transfer and retrieve the specified file from the attacker's IP address.
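The two indicators this advisory gives a defender are the 'wheel' community string itself (the read/write access shown in the walk and SysContact examples above) and any SNMP SetRequest that touches the firmware-update OID. The following Python is an added example, not code from Talos or from Rockwell Automation: a minimal BER parser for SNMPv1/v2c datagrams plus two detection rules that fire on those indicators. The sample datagrams are constructed inside the script with a small BER builder so it runs offline; `SnmpMessage`, `parse_snmp`, `alerts_for` and `build_sample` are names chosen for this example, not library APIs.

```python
# Added example (not Talos's or Rockwell's code): minimal SNMPv1/v2c BER parser
# plus two detection rules for the advisory's indicators. Sample datagrams are
# constructed in this file; nothing is sent on the network.
from dataclasses import dataclass, field

# Indicator values quoted from the advisory text
UNDOCUMENTED_COMMUNITY = b"wheel"
FIRMWARE_UPDATE_OID = "1.3.6.1.4.1.95.2.3.1.1.1.1.0"

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}


def _read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode BER OID contents into dotted notation."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last 7-bit group of this arc
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


@dataclass
class SnmpMessage:
    version: int
    community: bytes
    pdu_type: str
    oids: list = field(default_factory=list)


def parse_snmp(datagram):
    """Parse version, community, PDU type and varbind OIDs of a v1/v2c message."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    msg = SnmpMessage(int.from_bytes(ver, "big"), bytes(community),
                      PDU_TYPES.get(pdu_tag, hex(pdu_tag)))
    pos = 0
    for _ in range(3):                     # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    pos = 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        _, oid_raw, _ = _read_tlv(vb, 0)   # each varbind is SEQUENCE { OID, value }
        msg.oids.append(_decode_oid(oid_raw))
    return msg


def alerts_for(datagram):
    """Return the detection rules that fire on one SNMP datagram."""
    msg = parse_snmp(datagram)
    alerts = []
    if msg.community == UNDOCUMENTED_COMMUNITY:
        alerts.append("undocumented 'wheel' community string in use")
    if msg.pdu_type == "SetRequest" and FIRMWARE_UPDATE_OID in msg.oids:
        alerts.append("SetRequest to MicroLogix firmware-update OID")
    return alerts


# --- constructed sample datagrams (test input only; short-form lengths suffice) ---
def _tlv(tag, content):
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        groups = [p & 0x7F]
        p >>= 7
        while p:
            groups.append((p & 0x7F) | 0x80)
            p >>= 7
        out.extend(reversed(groups))
    return bytes(out)


def build_sample(community, pdu_tag, oid, int_value=None):
    """Build a one-varbind SNMPv2c datagram; value is a small INTEGER or NULL."""
    value = _tlv(0x02, bytes([int_value])) if int_value is not None else _tlv(0x05, b"")
    varbind = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + value)
    pdu = _tlv(pdu_tag, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00")
               + _tlv(0x02, b"\x00") + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, community) + pdu)


if __name__ == "__main__":
    samples = [
        ("documented read of sysContact", build_sample(b"public", 0xA0, "1.3.6.1.2.1.1.4.0")),
        ("undocumented read of sysContact", build_sample(b"wheel", 0xA0, "1.3.6.1.2.1.1.4.0")),
        ("write to firmware-update OID", build_sample(b"wheel", 0xA3, FIRMWARE_UPDATE_OID, 2)),
    ]
    for label, dgram in samples:
        print(f"{label}: {alerts_for(dgram) or ['no alert']}")
```

Because SNMPv1 and v2c travel in cleartext, `alerts_for` can be fed the UDP/161 payloads from a SPAN port or packet capture without any access to the PLC. The firmware-update rule deliberately ignores the value being written: any SetRequest against that OID from the plant network is worth an alert, whichever community string carried it. A site that has renamed the 'wheel' community, as the mitigation section recommends, should update `UNDOCUMENTED_COMMUNITY` accordingly.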

Mitigation

The unencrypted nature of SNMPv1 and v2c communications presents risk from attackers who are able to sniff traffic and capture community strings in transit. Ordinarily the risk of using the plaintext protocol is substantially mitigated by the need for an attacker to be in a position to capture traffic to/from the target device (assuming asset owners have changed the default community string values). However, the presence of an undocumented community string significantly increases the risk of attack, since attackers no longer need to sniff a valid community string from network traffic.

Because the community string can be changed (it is not truly 'hard-coded'), the risk of its use by a malicious actor is slightly reduced. However, the undocumented nature of the string leaves asset owners unaware of its presence and therefore unlikely to change it from the default value.